Retail security hacks may surge in 2014

SAN FRANCISCO -- The massive security breach that hit Target over the holidays may be only the beginning for the retail industry.

Attempts to hack into retailers' computer networks and steal credit card data and other customer information are likely to surge this year, cyber security experts say in the wake of the attacks on Target and luxury department store chain Neiman Marcus.

Target reported Friday that cyber thieves compromised the credit card data and personal information of as many as 110 million customers. That includes phone numbers, e-mail and home addresses, credit and debit card numbers, PINs, expiration dates.

For the hackers involved, this breach could generate billions of dollars in illicit profits, according to David Kennedy, founder of TrustedSec, a cyber security consulting firm that works with some of the largest retailers.

The going rate for stolen data is about $80 per card, so if 70 million accounts were compromised, that would produce a $5.6 billion payday for hackers, he estimated. The promise of such a return, from a hack that probably took six months to a year to organize, is likely to attract more hackers, Kennedy says.

"There will be a wave of attacks on the retail industry throughout the year," Kennedy says. "The Target hack exposed how vulnerable the industry is."

Wal-Mart Stores, the world's largest retailer, said Monday that it was not hit by any security breaches like the one Target suffered. Sears also said that its customer data was not compromised, as did Home Depot and Toys R Us.

However, Kennedy and other security experts expect more disclosures from other retailers saying they've been hit by similar hacks.

BitSight, a tech firm that rates companies on security breaches, examined Fortune 200 retailers, such as Target, Wal-Mart and CVS, and found an increase in cyber attacks in the fourth quarter of 2013.

"We observed more malicious activity on these networks in the second half of 2013," BitSight said Monday on its blog. "The majority of companies were quick to respond, but a few had botnets lingering for several days at a time."

BitSight gathers and analyzes data from sensors deployed around the globe looking for malicious activity, such as communication with a botnet -- a network of computers that have been taken over -- or malware distributor. It has no access to internal company network data.

BitSight's SecurityRatings range from 250 to 900; a higher rating indicates better security performance. If ratings go down, as they did in the retail industry last year, it shows that company defenses are not as strong as they should be, the firm says.

"It's really hard for these large organizations to protect themselves from all these threats," BitSight co-founder Stephen Boyer told USA TODAY. "A lot of these attackers are well-funded and well-motivated -- and the payoffs are potentially high."

Increasing security is not just a matter of investing in new technology; it also means hiring security personnel at the executive level -- such as a chief risk officer or chief privacy officer -- and training all employees in the best security practices, Boyer says.

"The defender really has to lock every window and door," he says. "But the bad guy just has to find one open window."

The U.S. retail industry is likely to be a major hacking target for at least a year because new credit card security technology, known as EMV or chip and PIN, has yet to be fully implemented.

EMV, already in place in Europe, uses an encrypted chip that is embedded in a card and requires a personal identification number to access the data it stores to complete a payment. In the United States, the less-secure magnetic stripe on cards is still used.

Industry experts say 90% to 95% of credit cards in the U.S. will have the chips within two years, but 1% to 5% of U.S. cards use the technology now.

"The U.S. is being targeted heavily now because we don't have the card security," says Chris Gates, a partner at LARES, a cyber security consulting firm that works with financial services companies, retailers and manufacturers.

"More and more retailers will be breached until we get firmly into the EMV chip and PIN technology," he added. "Hackers will go where the information they need is easiest to get."

In recent years, the financial-services industry has been hit by a series of hacks, but Gates sees the focus shifting to retail this year.

"When you look at the financial sector, its performance as a group is higher than retail," said BitSight's Boyer. "They have more assets at risk than the retail sector, but they are doing a better job at protecting those assets."